
javascript - Chrome 63 seems to ignore or break on worker-src CSP headers - Stack Overflow


The Error

I'm developing several apps that use web workers and all of them are kind of broken using the latest Chrome V63.0.3230.132.

This is the error message I see on the console:

[Report Only] Refused to create a worker from 'http://localhost:8080/d04af186322390d53036.worker.js' because it violates the following Content Security Policy directive: "worker-src 'none'".

I've also noticed some other sites behaving the same way.

Apparently, it doesn't matter how one creates that worker. I tried it in a react app using worker-loader, but also in a plain JS demo where I created it manually. The error remains the same.

What I tried

I've got all the CSP headers in place, and also updated my manifest.json files with the correct CSP entry to no avail.

All other browsers are working fine.

Can someone confirm or explain this behavior?

asked Jan 17, 2018 at 10:27 by Xceno, edited Jan 18, 2018 at 8:33
  • I'm having a similar problem – Chase Commented Jan 30, 2018 at 5:06

2 Answers

Upd: in this case the issue was root-caused to having the uMatrix plugin installed and enabled. Even when the plugin was switched off the issue did remain. So there are two ways to work around those confusing errors:

  • Disable uMatrix completely in the Extension/Plugins menu in the browser. Using the built-in "turn off" button in uMatrix will not help.
  • Just let it go and ignore the warning.

The details are here: https://github.com/gorhill/uMatrix/issues/926#issuecomment-359905357


Initial reply for history.

Xceno, did you confirm that Chrome really fails to load the worker?

I see the exact same error, but... the SW actually works. Maybe this is just a false-positive bug from Chrome.

Here is my code and what I see in console

navigator.serviceWorker.register('/sw.js').then(function(registration) {
    // Runs only when registration succeeded
    console.log('ServiceWorker registration successful with scope: ', registration.scope);
    // ... some other code
});

Console output:

defer.js:36 [Report Only] Refused to create a worker from 'https://.../sw.js' because it violates the following Content Security Policy directive: "worker-src 'none'".
defer.js:37 ServiceWorker registration successful with scope:  https://.../

In my case SW was in fact successfully installed and worked as designed.

As promised, here are the headers. I was unable to put them in a comment. As you can see I don't have CSP headers explicitly and the only ones related to security are x-content-type-options and x-frame-options. That's it. Hope it helps somehow.

content-type: text/html; charset=UTF-8
cache-control: must-revalidate, no-cache, private
x-ua-compatible: IE=edge
content-language: en
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
expires: Sun, 19 Nov 1978 05:00:00 GMT
vary: Accept-Encoding
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 3e91b05aabb05540-ORD
content-encoding: br
x-firefox-spdy: h2
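
Added example, not part of the original answer: the header check the answer does by eye, as code that lists every server-sent CSP policy (enforced or report-only) that would govern worker creation. The function names and the two constructed sample headers are assumptions for illustration; the fallback order is the CSP Level 3 list for worker requests.

```javascript
// Directives consulted for worker requests, in order (CSP Level 3 fallback list).
const WORKER_FALLBACK = ['worker-src', 'child-src', 'script-src', 'default-src'];
const CSP_HEADERS = new Map([
  ['content-security-policy', 'enforce'],
  ['content-security-policy-report-only', 'report-only'],
]);

// Parse one policy string into a Map: directive name -> source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Duplicate directives are ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// From raw "name: value" header lines, return every policy that governs workers.
function workerPolicies(rawHeaders) {
  const findings = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    const mode = CSP_HEADERS.get(line.slice(0, idx).trim().toLowerCase());
    if (!mode) continue;
    // One header value may carry several comma-separated policies.
    for (const policy of line.slice(idx + 1).split(',')) {
      const directives = parsePolicy(policy);
      const directive = WORKER_FALLBACK.find((d) => directives.has(d));
      if (directive) findings.push({ mode, directive, sources: directives.get(directive) });
    }
  }
  return findings;
}

// Security-related headers from the answer above: no CSP header at all.
const ANSWER_HEADERS = 'x-content-type-options: nosniff\nx-frame-options: SAMEORIGIN';
// Constructed samples (not from the page).
const REPORT_ONLY_SAMPLE = "Content-Security-Policy-Report-Only: worker-src 'none'";
const FALLBACK_SAMPLE = "Content-Security-Policy: default-src 'self'; img-src *";

console.log(workerPolicies(ANSWER_HEADERS));
console.log(workerPolicies(REPORT_ONLY_SAMPLE));
console.log(workerPolicies(FALLBACK_SAMPLE));
```

An empty result for the real response, while the console still reports a `worker-src` violation, means the policy was not set by the server's headers, which matches the uMatrix root cause described in the answer.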